Update e2e tests to be partitional

Signed-off-by: Alex Richman <[email protected]>

Author: ARichman555

e2e/aws_helpers.go

@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
 	"github.com/aws/aws-sdk-go-v2/service/acmpca"
@@ -150,8 +151,9 @@ func deleteAccessKey(ctx context.Context, cfg aws.Config, userName string, acces
 	}
 }
 
-func deleteCertificateAuthority(ctx context.Context, cfg aws.Config, caArn string) {
+func (testCtx *TestContext) deleteCertificateAuthority(ctx context.Context, cfg aws.Config, name string) {
 	pcaClient := acmpca.NewFromConfig(cfg)
+	caArn := testContext.caArns[name]
 
 	updateCAParams := acmpca.UpdateCertificateAuthorityInput{
 		CertificateAuthorityArn: &caArn,
@@ -175,20 +177,21 @@ func deleteCertificateAuthority(ctx context.Context, cfg aws.Config, caArn strin
 		panic(deleteErr.Error())
 	}
 
+	delete(testContext.caArns, name)
 }
 
-func createCertificateAuthority(ctx context.Context, cfg aws.Config, isRSA bool) string {
+func (testCtx *TestContext) createCertificateAuthority(ctx context.Context, cfg aws.Config, name string, signingAlgorithm types.SigningAlgorithm) {
 	pcaClient := acmpca.NewFromConfig(cfg)
 
-	var signingAlgorithm types.SigningAlgorithm
 	var keyAlgorithm types.KeyAlgorithm
 
-	if isRSA {
-		signingAlgorithm = types.SigningAlgorithmSha256withrsa
+	switch signingAlgorithm {
+	case types.SigningAlgorithmSha256withrsa:
 		keyAlgorithm = types.KeyAlgorithmRsa2048
-	} else {
-		signingAlgorithm = types.SigningAlgorithmSha256withecdsa
+	case types.SigningAlgorithmSha256withecdsa:
 		keyAlgorithm = types.KeyAlgorithmEcPrime256v1
+	default:
+		panic("Unknown signing algorithm: " + signingAlgorithm)
 	}
 
 	commonName := "CMTest-" + strconv.FormatInt(time.Now().Unix(), 10)
@@ -211,6 +214,7 @@ func createCertificateAuthority(ctx context.Context, cfg aws.Config, isRSA bool)
 	}
 
 	caArn := createOutput.CertificateAuthorityArn
+	testCtx.caArns[name] = *caArn
 
 	getCsrParams := acmpca.GetCertificateAuthorityCsrInput{
 		CertificateAuthorityArn: caArn,
@@ -235,7 +239,7 @@ func createCertificateAuthority(ctx context.Context, cfg aws.Config, isRSA bool)
 		CertificateAuthorityArn: caArn,
 		Csr:                     []byte(*caCsr),
 		SigningAlgorithm:        signingAlgorithm,
-		TemplateArn:             aws.String("arn:aws:acm-pca:::template/RootCACertificate/V1"),
+		TemplateArn:             aws.String("arn:" + testCtx.partition + ":acm-pca:::template/RootCACertificate/V1"),
 		Validity: &types.Validity{
 			Type:  types.ValidityPeriodTypeDays,
 			Value: aws.Int64(365),
@@ -279,8 +283,6 @@ func createCertificateAuthority(ctx context.Context, cfg aws.Config, isRSA bool)
 	if importCertErr != nil {
 		panic(importCertErr.Error())
 	}
-
-	return *caArn
 }
 
 func getAccountID(ctx context.Context, cfg aws.Config) string {
@@ -295,6 +297,23 @@ func getAccountID(ctx context.Context, cfg aws.Config) string {
 	return *callerID.Account
 }
 
+func getPartition(ctx context.Context, cfg aws.Config) string {
+	stsClient := sts.NewFromConfig(cfg)
+
+	callerID, callerErr := stsClient.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
+
+	if callerErr != nil {
+		panic(callerErr.Error())
+	}
+
+	parsedArn, parseErr := arn.Parse(*callerID.Arn)
+	if parseErr != nil {
+		return "aws"
+	}
+
+	return parsedArn.Partition
+}
+
 func assumeRole(ctx context.Context, cfg aws.Config, roleName string, region string) aws.Config {
 
 	stsClient := sts.NewFromConfig(cfg)

e2e/awspcaissuer_test.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/acmpca/types"
 	"github.com/cert-manager/aws-privateca-issuer/pkg/api/v1beta1"
 	clientV1beta1 "github.com/cert-manager/aws-privateca-issuer/pkg/clientset/v1beta1"
 	cmclientv1 "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1"
@@ -31,7 +32,7 @@ type TestContext struct {
 	xaCfg     aws.Config
 	caArns    map[string]string
 
-	region, accessKey, secretKey, endEntityResourceShareArn, subordinateCaResourceShareArn, userName, policyArn string
+	region, partition, accessKey, secretKey, endEntityResourceShareArn, subordinateCaResourceShareArn, userName, policyArn string
 }
 
 // These are variables specific to each test
@@ -111,6 +112,8 @@ func InitializeTestSuite(suiteCtx *godog.TestSuiteContext) {
 			panic(cfgErr.Error())
 		}
 
+		testContext.partition = getPartition(ctx, cfg)
+
 		testContext.iclient, err = clientV1beta1.NewForConfig(clientConfig)
 
 		if err != nil {
@@ -124,22 +127,22 @@ func InitializeTestSuite(suiteCtx *godog.TestSuiteContext) {
 		}
 
 		// Create CAs to be used in testing
-		testContext.caArns["RSA"] = createCertificateAuthority(ctx, cfg, true)
+		testContext.createCertificateAuthority(ctx, cfg, "RSA", types.SigningAlgorithmSha256withrsa)
 		log.Printf("Created RSA CA with arn %s", testContext.caArns["RSA"])
 
-		testContext.caArns["ECDSA"] = createCertificateAuthority(ctx, cfg, false)
+		testContext.createCertificateAuthority(ctx, cfg, "ECDSA", types.SigningAlgorithmSha256withecdsa)
 		log.Printf("Created EC CA with arn %s", testContext.caArns["ECDSA"])
 
 		xaRole, xaRoleExists := os.LookupEnv(CrossAccountRoleKey)
 		if xaRoleExists {
 			testContext.xaCfg = assumeRole(ctx, cfg, xaRole, testContext.region)
 
-			testContext.caArns["XA"] = createCertificateAuthority(ctx, testContext.xaCfg, true)
+			testContext.createCertificateAuthority(ctx, testContext.xaCfg, "XA", types.SigningAlgorithmSha256withrsa)
 
 			log.Printf("Created XA CA with arn %s", testContext.caArns["XA"])
 
-			endEntityResourcePermission := "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCertificateAuthority"
-			subordinateCaResourcePermission := "arn:aws:ram::aws:permission/AWSRAMSubordinateCACertificatePathLen0IssuanceCertificateAuthority"
+			endEntityResourcePermission := "arn:" + testContext.partition + ":ram::aws:permission/AWSRAMDefaultPermissionCertificateAuthority"
+			subordinateCaResourcePermission := "arn:" + testContext.partition + ":ram::aws:permission/AWSRAMSubordinateCACertificatePathLen0IssuanceCertificateAuthority"
 
 			testContext.endEntityResourceShareArn = shareCA(ctx, cfg, testContext.xaCfg, testContext.caArns["XA"], endEntityResourcePermission)
 			testContext.subordinateCaResourceShareArn = shareCA(ctx, cfg, testContext.xaCfg, testContext.caArns["XA"], subordinateCaResourcePermission)
@@ -174,10 +177,10 @@ func InitializeTestSuite(suiteCtx *godog.TestSuiteContext) {
 			panic(cfgErr.Error())
 		}
 
-		deleteCertificateAuthority(ctx, cfg, testContext.caArns["RSA"])
+		testContext.deleteCertificateAuthority(ctx, cfg, "RSA")
 		log.Printf("Deleted the RSA CA")
 
-		deleteCertificateAuthority(ctx, cfg, testContext.caArns["ECDSA"])
+		testContext.deleteCertificateAuthority(ctx, cfg, "ECDSA")
 		log.Printf("Deleted the EC CA")
 
 		deleteAccessKey(ctx, cfg, testContext.userName, testContext.accessKey)
@@ -198,7 +201,7 @@ func InitializeTestSuite(suiteCtx *godog.TestSuiteContext) {
 			deleteResourceShare(ctx, testContext.xaCfg, testContext.subordinateCaResourceShareArn)
 			log.Printf("Deleted resource shares associated with XA CA")
 
-			deleteCertificateAuthority(ctx, testContext.xaCfg, testContext.caArns["XA"])
+			testContext.deleteCertificateAuthority(ctx, testContext.xaCfg, "XA")
 			log.Printf("Deleted the XA CA")
 		}
 	})

e2e/blog_test.sh

@@ -17,6 +17,7 @@ set_variables() {
     export SECURITY_GROUP_ID=$(curl_with_token --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/${INTERFACE}/security-group-ids)
     export VPC_ID=$(curl_with_token --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/${INTERFACE}/vpc-id)
     export PORT=6443
+    export AWS_PARTITION=$(aws sts get-caller-identity --query 'Arn' --output text | cut -d':' -f2)
     tag_subnet
     add_inbound_rule
     create_ca
@@ -39,7 +40,7 @@ create_target_group() {
 
     LOAD_BALANCER_NAME=$(cut -d'.' -f1 <<<"$LOAD_BALANCER_HOSTNAME" | sed 's/\(.*\)-/\1\//')
 
-    LOAD_BALANCER_ARN=arn:aws:elasticloadbalancing:$AWS_REGION:$(aws sts get-caller-identity | jq -r ".Account"):loadbalancer/net/$LOAD_BALANCER_NAME
+    LOAD_BALANCER_ARN=arn:${AWS_PARTITION}:elasticloadbalancing:$AWS_REGION:$(aws sts get-caller-identity | jq -r ".Account"):loadbalancer/net/$LOAD_BALANCER_NAME
 
     LISTENER_ARN=$(aws elbv2 describe-listeners --load-balancer-arn $LOAD_BALANCER_ARN | jq -r ".Listeners[0].ListenerArn")
 
@@ -55,7 +56,7 @@ create_ca() {
 
     aws acm-pca get-certificate-authority-csr --certificate-authority-arn $CA_ARN --output text --region us-east-1 >$E2E_DIR/blog-test/ca.csr
 
-    CERTIFICATE_ARN=$(aws acm-pca issue-certificate --certificate-authority-arn $CA_ARN --csr fileb://$E2E_DIR/blog-test/ca.csr --signing-algorithm SHA256WITHRSA --template-arn arn:aws:acm-pca:::template/RootCACertificate/V1 --validity Value=365,Type=DAYS --query 'CertificateArn' --output text)
+    CERTIFICATE_ARN=$(aws acm-pca issue-certificate --certificate-authority-arn $CA_ARN --csr fileb://$E2E_DIR/blog-test/ca.csr --signing-algorithm SHA256WITHRSA --template-arn arn:${AWS_PARTITION}:acm-pca:::template/RootCACertificate/V1 --validity Value=365,Type=DAYS --query 'CertificateArn' --output text)
 
     aws acm-pca wait certificate-issued --certificate-authority-arn $CA_ARN --certificate-arn $CERTIFICATE_ARN